Applies to Product: USM Appliance™, LevelBlue OSSIM®
If the available report modules do not suit your needs, you can generate your own module, which defines the data that will be included in a report.
Occasionally you may want to generate a report from the security events that USM Appliance detects in your environment. To do that, you need to create a report module first.
To create a custom report from security events
- Go to Analysis > Security Events (SIEM) and perform a search to include the events you want to see.
- Click Change View to select a predefined view.
Predefined views include Default, Taxonomy, Reputation, Detail, Risk Analysis, and IDM. Each view displays the same events but with different columns.
- Alternatively, click Change View and then select Create New View.
- In Create New Custom View, select the columns you want to see in this view.
- To apply the same query every time you launch this view, select Include custom search criteria in this predefined view.
- Type a name for the view, and then click Create.
USM Appliance saves your changes and refreshes the page to display the view.
- Click Change View again and select Edit Current View.
- In Edit Current View, click Save as Report Module at the bottom.
- Go to Reports > All Reports, click Modules, and then expand Custom Security Events.
See the new module listed. It has the same name as the custom view.
- To generate the report, click the blue arrow next to the module's name, and then go through the Report Wizard.
Notice that the report module, Custom Security Events - <name of your custom view>, is already selected for you.
- Alternatively, follow the steps in Create a New Report from Scratch and add the new report module yourself.
USM Appliance saves the custom report under Reports > All Reports > Custom Reports. You can then run it the same way as any built-in report.
In addition to creating a report module from security events, you can also create one from raw logs.
To create a custom module from raw logs
- Go to Analysis > Raw Logs and perform a search to include the entries you want to use in the report.
- Click Predefined Searches. In the text box, type a name for the search, and then click Add.
- Go to Reports > All Reports, click Modules, and then expand Raw Logs.
Note: USM Appliance saves the raw log search in a report module called Custom List, but you cannot choose it until you run the Report Wizard.
- Click the blue arrow next to Custom List, and then go through the Report Wizard.
Notice that the report module, Raw Logs - Custom List, is already selected for you.
- Alternatively, follow the steps in Create a New Report from Scratch and add the new report module yourself.
- In Step 3 of the wizard, from Filter, select the query you saved before running the report.
USM Appliance saves the custom report under Reports > All Reports > Custom Reports. You can then run it the same way as any built-in report.
In the USM Appliance built-in reports, each report module only appears once. Sometimes you may want to use the same module multiple times, but with different parameters. For example, you may want to generate a report on all alarms ordered by different DS groups. In this scenario, you need to save the corresponding report module as a new report module, and then add it while building the custom report.
To create a new module from an existing one
- Run a report following the instructions in Modify Built-in Reports.
- In Step 3 of the wizard, locate the module you want to duplicate, change the parameters of the module as desired, and then click Add as a New Report Module.
- In Add a New Subreport, type a name and click Add.
USM Appliance saves the module with the changed parameters.
To use the new module in a report
- Create a new report. For instructions, see Create Custom Reports.
- In Step 1 of the wizard, search for the module you just saved, and then add it to your report.
- Add more modules if you want and finish running the wizard.